Statfier: Automated Testing of Static Analyzers via Semantic-preserving Program Transformations
Static analyzers use rule checkers to verify the reliability, performance, and readability of programs. One of the key limitations of static analyzers is the failure to produce accurate analysis results (i.e., they generate too many spurious warnings or miss significant defects). To ensure the reliability of a static analyzer, developers usually manually write tests involving input programs and the corresponding expected analysis results. Meanwhile, a rule checker may include example programs in its documentation to help users understand each rule. Our key insight is that we can reuse programs extracted either from the official test suite or from the documentation and apply semantic-preserving transformations to them to generate variants. We studied the quality of input programs from these two sources and found that most rules in static analyzers are covered by at least one input program, implying the potential of using these programs as the basis for test generation. We present Statfier, a heuristic-based automated testing approach for static analyzers that generates program variants via semantic-preserving transformations and detects inconsistencies between the analysis results of the original program and its variants (which indicate inaccurate analysis results in the static analyzer). To select variants that are more likely to lead to new bugs, Statfier leverages two key heuristics: (1) analysis-report-guided location selection, which uses program locations in the reports produced by static analyzers to decide where to apply transformations, and (2) structure-diversity-driven variant selection, which chooses variants with different program contexts and diverse types of transformations. Our experiments with five popular static analyzers show that Statfier can find 79 bugs in these analyzers, of which 46 have been confirmed.
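As an added illustration of the testing loop the abstract describes (not code from the Statfier project), the Python script below applies one semantic-preserving transformation, wrapping a statement in an always-taken `if True:` branch, at the locations named in an analyzer's own report and flags any warning that disappears or appears once variant line numbers are mapped back to the seed. The analyzer under test is a constructed stand-in whose `== None` rule only inspects `if` statements directly inside a function body, the seed program is constructed, and `ast.unparse` requires Python 3.9 or later.

```python
import ast

# Constructed seed program, standing in for an input program taken from an
# analyzer's test suite or rule documentation.
SEED = "def f(x):\n    if x == None:\n        return 1\n    return 0\n"

def analyze(src):
    """Stand-in analyzer under test (constructed, not a real tool). Its
    'EqNone' rule flags `== None`, but only in `if` statements placed
    directly in a function body, so nested ones are missed. Returns {(rule, line)}."""
    report = set()
    for fn in ast.parse(src).body:
        for stmt in getattr(fn, "body", []):
            test = getattr(stmt, "test", None)
            if (isinstance(stmt, ast.If) and isinstance(test, ast.Compare)
                    and isinstance(test.ops[0], ast.Eq)
                    and any(isinstance(c, ast.Constant) and c.value is None
                            for c in test.comparators)):
                report.add(("EqNone", stmt.lineno))
    return report

def wrap_in_true_branch(src, line):
    """Semantic-preserving transformation: wrap the statement starting at `line`
    in `if True:`. Returns (variant source, map from variant line to seed line)."""
    tree = ast.parse(src)
    for parent in ast.walk(tree):
        body = getattr(parent, "body", None)
        if isinstance(body, list):
            for i, stmt in enumerate(body):
                if isinstance(stmt, ast.stmt) and stmt.lineno == line:
                    body[i] = ast.If(test=ast.Constant(True), body=[stmt], orelse=[])
                    variant = ast.unparse(ast.fix_missing_locations(tree))
                    # the inserted `if True:` header occupies one extra line
                    return variant, lambda v: v - 1 if v > line else v
    raise ValueError(f"no statement starts at line {line}")

def find_inconsistencies(src, transform=wrap_in_true_branch):
    """Report-guided loop: transform at each location the analyzer reported on
    the seed, map the variant's report back, and record every difference."""
    base = analyze(src)
    issues = []
    for _, line in sorted(base):
        variant, to_seed = transform(src, line)
        mapped = {(rule, to_seed(v)) for rule, v in analyze(variant)}
        if mapped != base:
            issues.append({"line": line, "missing": base - mapped, "extra": mapped - base})
    return issues

if __name__ == "__main__":
    print(find_inconsistencies(SEED))  # the nested `== None` warning is lost
```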